The invention relates generally to postage meters (franking machines), and relates particularly to systems in which postage meter licenses are managed in a way that is non-identical to the number of associated postal security devices.
It has been well known for many decades to use a postage meter which has within a secure housing an accounting means and a printing means. The accounting means includes an ascending register indicative of postage that has been printed, and typically a piece counter indicative of the number of mail pieces that have been printed. In many countries including the United States, the accounting means also includes a descending register indicative of the amount of postage value available to be printed. The printing means is used to print postage indicia on mail pieces, typically by a relief printing die with characteristic fluorescent ink. Such postage meters have worked exceedingly well for decades and have proven to be reliable. While it is technically possible to print postal indicia for which no money has been paid to the post office, such fraud is relatively infrequent because it would be readily detectable through physical inspection of the meter for tampering.
The postage meter saves the postal authority from much of the work of printing, stocking and selling postage stamps. When postal rates change, the postage meter user can simply print the new postal amount, while the stamp user must queue up at the post office to purchase stamps in the new denomination.
In recent years it has been proposed to print postal indicia by means of conventional nonsecure printers such as laser printers, ink-jet printers, and thermal transfer printers. Such printers are termed "nonsecure" because the printer itself is not in a secure housing and because the communications channel linking the printer to other apparatus is nonsecure.
Under such a proposal, the question naturally arises what would prevent a user from printing the same postal indicium repeatedly, thereby printing postal indicia for which no money has been paid to the post office. The proposed anti-fraud measure is to store information within the indicia which would permit detecting fraud. The indicium would include not only human-readable text such as a date and a postage amount, but would also include machine-readable information, for example by means of a two-dimensional bar code. The machine-readable information would be cryptographically signed, and would include within it some information intended to make fraud more difficult. The information would typically include an identification of the postage meter license (granted by the meter manufacturer or by the postal authorities, depending on the country), an indication of the number of mail pieces franked, the postage amount, a postal security device identifier about which more will be said later, the date and time, and a zip code or post code of the mail piece addressee.
There are, of course, many potential drawbacks to such an approach for printing of postal indicia. A user who intends to defraud the postal service might use a bar-code reader to read the contents of the indicium. (This capability illustrates the pointlessness of trying to give physical security to the printing means or to the communications channel by which the printing means is controlled.) The contents of the bar code could be used to print identical or nearly identical indicia, perhaps at a geographic distance. It would then fall to the postal service to perform an analysis on all or nearly all of the indicia scanned on a particular day, to try to identify duplicates.
Yet another drawback is that it is commonplace for a mail piece to get smudged on the way to the post office or within the post office, prior to the authentication scanning by the post office. If the post office is unable to read the bar code, the post office has to decide whether to return the mail piece to the sender, or risk delivering a mail piece bearing a counterfeit indicium.
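As an added illustration, not part of the original specification, the following Python models the post office's side of the scheme described above: an indicium whose machine-readable portion carries the meter license, piece count, postage amount, PSD identifier, date and time and destination post code, with an HMAC-SHA256 tag standing in for the cryptographic signature, and a scan classifier that verifies each tag and flags repeated (license, PSD, piece count) combinations as duplicates, treating an unreadable bar code as its own outcome. The key, field names and sample scans are constructed for the example; a real PSD would hold its key inside the secure housing and would use a public-key signature rather than a shared-key MAC.

```python
import hashlib
import hmac
import json

# Constructed example key: stands in for the signing key a real PSD keeps inside its secure housing.
PSD_KEY = b"constructed-psd-signing-key-example-only"


def encode_indicium(fields: dict) -> str:
    """Produce the machine-readable portion of an indicium: canonical JSON plus an HMAC-SHA256 tag.

    The tag is a stand-in for the cryptographic signature described in the specification.
    """
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(PSD_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + tag


def verify_indicium(barcode: str):
    """Return the signed fields if the tag checks out, otherwise None."""
    payload, sep, tag = barcode.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(PSD_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # contents altered after signing, or never signed with this key
    return json.loads(payload)


def classify_scans(scans):
    """Classify one day's scans as valid, duplicate, forged or unreadable.

    A PSD's piece counter only moves forward, so two indicia naming the same
    license, PSD and piece count cannot both be genuine.
    """
    seen = set()
    results = []
    for barcode in scans:
        if barcode is None:  # smudged: the bar code could not be read at all
            results.append("unreadable")
            continue
        fields = verify_indicium(barcode)
        if fields is None:
            results.append("forged")
            continue
        key = (fields["meter_license"], fields["psd_id"], fields["piece_count"])
        if key in seen:
            results.append("duplicate")
        else:
            seen.add(key)
            results.append("valid")
    return results


# Constructed sample: one genuine indicium, an unreadable scan, a second copy of the
# genuine indicium, and a copy whose postage amount was edited after signing.
GENUINE = encode_indicium({
    "meter_license": "LIC-EXAMPLE-001",
    "psd_id": "PSD-EXAMPLE-42",
    "piece_count": 1017,
    "postage_cents": 33,
    "timestamp": "1999-03-01T09:15:00",
    "dest_postcode": "12345",
})
TAMPERED = GENUINE.replace('"postage_cents":33', '"postage_cents":330')
SAMPLE_SCANS = [GENUINE, None, GENUINE, TAMPERED]

if __name__ == "__main__":
    for barcode, status in zip(SAMPLE_SCANS, classify_scans(SAMPLE_SCANS)):
        print(status, (barcode or "<unreadable>")[:40])
```

The duplicate check keys on the piece count rather than on the whole indicium so that a copy re-signed with a different date or post code is still caught; the unreadable case is reported separately so the sorting policy for smudged mail pieces can be decided outside the verifier.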
The typical apparatus for printing such "encrypted indicia" postage includes what is called a postal security device or PSD. The PSD has a secure housing, and within the secure housing is a cryptographic engine that performs authentication and signing for communication with an external device such as the computer of the meter manufacturer or of the post office. The engine also permits creation of postal indicia which contain specified information and which are cryptographically signed. The PSD may well be physically small as compared to traditional postage meters. The PSD may be the size of a PCMCIA card or the size of a smart card.
Within the PSD the memory must be protected against inadvertent damage due to malfunction of the processor of the PSD, for example as set forth in U.S. Pat. No. 5,668,973, Protection system for critical memory information, owned by the same assignee as the assignee of the present application. The PSD must handle power failure in a graceful fashion, for example as set forth in U.S. Pat. No. 5,712,542, Postage meter with improved handling of power failure, also owned by the same assignee as the assignee of the present application.
To reduce smudging, the printer may preferably be that described in PCT publication no. 97-46389, Printing apparatus, also owned by the same assignee as the assignee of the present application. While it has been proposed that the PSD contain a real-time clock which is keeping time continuously, desirably this requirement may be avoided as described in PCT publication no. 98-08325, Printing postage with cryptographic clocking security, also owned by the same assignee as the assignee of the present application. PSDs can form part of a network with multiple printers as described in PCT publication no. 98-13790, Proof of postage digital franking, also owned by the same assignee as the assignee of the present application.
The PSD in proposed systems contains the ascending and (optional depending on country) descending registers, the piece counter, and a "meter license number". The meter license number represents a legal license granted by the postal authority which permits operation of the PSD and the associated printing of postage indicia. It is assumed that the PSD also has a unique identifying number stored within the PSD, but this number is expected to be non-identical to the meter license number. For example, if a PSD were to require service, the PSD manufacturer may take one PSD out of service for a particular customer and place another PSD into service for that particular customer, and yet the meter license number (which pertains to the customer) may remain the same.
It would be advantageous to have a system with great flexibility to accommodate a number of users, or to accommodate the use of several PSDs per user, yet the proposed PSD arrangements are inflexible.
A system is provided in which a single postal security device has a secure housing, and within the secure housing are two or more accounting register sets. Importantly, the two or more accounting register sets are associated with distinct meter licenses. Alternatively, the single postal security device can store a single accounting register set, but is able to transfer the register set to a nonsecure store such as the hard drive of a personal computer, the register set having been cryptographically signed. Later the register set may be retrieved from the nonsecure store and cryptographically authenticated, and restored to its location within the secure housing. In this way, the postal security device may provide service under more than one distinct meter license. In a related embodiment, a single meter license is associated with more than one postal security device, each with its own secure housing. Each register set is configured to permit being reset (refilled with postage) by means of a cryptographically secure exchange of data over a communications channel to external equipment such as a manufacturer's server or a server operated by the post office.
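The following Python, added here as an illustration and not drawn from the specification, models a PSD of the kind just described: several register sets inside one housing, each tied to its own meter license; export of a signed register set to a nonsecure store and its authenticated restoration; and a refill exchange in which the server's authorisation is bound to a challenge issued by the PSD. HMAC-SHA256 stands in for the signatures, all keys and identifiers are constructed, and the export serial (`seal_seq`), which lets the PSD refuse an older exported copy that would otherwise verify, is an assumption added here rather than something the specification states.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Constructed example keys. In a real PSD the seal key never leaves the secure housing;
# the refill key represents the credential shared with the manufacturer's or post office's server.
PSD_SEAL_KEY = b"constructed-psd-seal-key-example-only"
REFILL_SERVER_KEY = b"constructed-refill-server-key-example-only"


def _tag(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


@dataclass
class RegisterSet:
    meter_license: str
    ascending: int = 0      # postage printed to date, in cents
    descending: int = 0     # postage still available to print
    piece_count: int = 0
    refill_count: int = 0   # successful resets so far; makes each refill authorisation single-use
    seal_seq: int = 0       # export serial (assumed addition): rejects restoring a stale exported copy


class PSD:
    """Secure-housing side: several register sets, each tied to its own meter license."""

    def __init__(self, psd_id: str):
        self.psd_id = psd_id
        self.registers: dict[str, RegisterSet] = {}  # register sets currently inside the housing
        self.last_seal_seq: dict[str, int] = {}      # most recent export serial issued per license

    def add_license(self, meter_license: str) -> None:
        self.registers[meter_license] = RegisterSet(meter_license)

    def frank(self, meter_license: str, amount: int) -> int:
        """Account for one mail piece under the given license; returns the new piece count."""
        rs = self.registers[meter_license]
        if amount > rs.descending:
            raise ValueError("insufficient postage in descending register")
        rs.descending -= amount
        rs.ascending += amount
        rs.piece_count += 1
        return rs.piece_count

    def refill_challenge(self, meter_license: str) -> str:
        rs = self.registers[meter_license]
        return f"{self.psd_id}|{meter_license}|{rs.refill_count}"

    def refill(self, meter_license: str, amount: int, server_mac: str) -> int:
        """Reset the descending register only with a server authorisation bound to the current challenge."""
        rs = self.registers[meter_license]
        expected = _tag(REFILL_SERVER_KEY, self.refill_challenge(meter_license) + f"|{amount}")
        if not hmac.compare_digest(expected, server_mac):
            raise ValueError("refill not authorised (bad or replayed authorisation)")
        rs.descending += amount
        rs.refill_count += 1
        return rs.descending

    def export_register_set(self, meter_license: str) -> str:
        """Sign a register set and hand it to the nonsecure store, removing it from the housing."""
        rs = self.registers.pop(meter_license)
        rs.seal_seq = self.last_seal_seq.get(meter_license, 0) + 1
        self.last_seal_seq[meter_license] = rs.seal_seq
        payload = json.dumps({"psd_id": self.psd_id, **asdict(rs)}, sort_keys=True)
        return payload + "|" + _tag(PSD_SEAL_KEY, payload)

    def import_register_set(self, blob: str) -> RegisterSet:
        """Authenticate a stored register set and restore it into the housing."""
        payload, _, tag = blob.rpartition("|")
        if not hmac.compare_digest(_tag(PSD_SEAL_KEY, payload), tag):
            raise ValueError("register set rejected: seal does not verify")
        data = json.loads(payload)
        if data.pop("psd_id") != self.psd_id:
            raise ValueError("register set rejected: sealed by a different PSD")
        lic = data["meter_license"]
        if lic in self.registers:
            raise ValueError("register set rejected: license already loaded")
        if data["seal_seq"] != self.last_seal_seq.get(lic):
            raise ValueError("register set rejected: not the most recent exported copy")
        self.registers[lic] = RegisterSet(**data)
        return self.registers[lic]


def authorise_refill(challenge: str, amount: int) -> str:
    """Server side of the refill exchange (assumed protocol): MAC over the PSD's challenge and the amount."""
    return _tag(REFILL_SERVER_KEY, challenge + f"|{amount}")


def attempt(action, *args) -> str:
    """Example helper: run a PSD operation and report "ok" or the reason it was refused."""
    try:
        action(*args)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

Two PSD objects in this example share the same module-level seal key, so a register set sealed by one PSD is caught by the `psd_id` check rather than by the signature; with a per-device key, as a real PSD would have, the seal itself would fail to verify. Binding the refill authorisation to a counter held inside the housing is what stops a recorded authorisation from being presented twice.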